This page contains notes and code snippets on using Keycloak with mod_auth_openidc.
Getting Keycloak up and running
Keycloak is available from keycloak.org. It is an application embedded in a JBoss WildFly JEE container. The easiest way to get it running is to use an existing Docker image; the one used here is set up to work with a MySQL datastore. To run Keycloak against a dockerized MySQL, try this:
$ docker run --name mysql -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=keycloak -e MYSQL_ROOT_PASSWORD=password -d mysql
$ docker run -it --link mysql:mysql -e MYSQL_DATABASE=keycloak -e MYSQL_USER=keycloak -e MYSQL_PASSWORD=keycloak -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 8080:8080 -p 9990:9990 jboss/keycloak-mysql
A docker-compose.yml file for the latter command is:
keycloak:
  image: jboss/keycloak-mysql
  environment:
    MYSQL_DATABASE: keycloak
    MYSQL_USER: keycloak
    MYSQL_PASSWORD: keycloak
    KEYCLOAK_USER: admin
    KEYCLOAK_PASSWORD: admin
  ports:
    - "8080:8080"
    - "9990:9990"
  external_links:
    - mysql:mysql
Keycloak will create and populate the required database tables on initial startup. The web interface should then be available at http://localhost:8080; follow the Admin Console link and log in with the KEYCLOAK_* credentials from the above command (admin/admin in this example).
Adding a realm manually
Initially, Keycloak has only one admin realm, which should be used for admin purposes only, so we must add a non-admin realm. From the admin console, below the Keycloak logo on the left, click on "Master" with the down-arrow symbol and select the "Add realm" button. Let's call the new realm heeadmin and save it.
Adding a client manually
Once the new realm has been added, we need to add a client. This client is the account that Apache will use to call into Keycloak and exchange the authorisation code that Keycloak passes via the browser for logged-in users.
Click on the Client option on the left-hand menu and then the Create button at the top right above the list of existing clients. Let's call the new client "apache"; save it. The only required field here is the redirect URL (towards the bottom of the page). Enter a URL within the area that will be protected by Keycloak and save. You can also put just the host's root URL and a wildcard: http://server/*.
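The same realm and client can be created without the console, through Keycloak's admin REST API. This is an added example, not code from the original page; it assumes the jboss/keycloak-mysql container above (base path /auth, admin/admin from KEYCLOAK_USER/KEYCLOAK_PASSWORD), the built-in admin-cli client of the master realm, and an invented KC_APPLY switch so that nothing is sent to the server unless you ask.

```shell
#!/bin/sh
# Added example (not from the original page): create the "heeadmin" realm and the
# "apache" client via the admin REST API of the jboss/keycloak-mysql container.
# Assumptions: base path /auth, admin credentials admin/admin, the master realm's
# built-in "admin-cli" public client. Names prefixed KC_ are constructed here.
KC_URL="${KC_URL:-http://localhost:8080/auth}"
KC_ADMIN_USER="${KC_ADMIN_USER:-admin}"
KC_ADMIN_PASS="${KC_ADMIN_PASS:-admin}"

# JSON body for a realm; a realm is unusable until "enabled" is true.
realm_payload() {
  printf '{"realm":"%s","enabled":true}' "$1"
}

# JSON body for a confidential client. $1 = clientId, $2.. = redirect URIs.
# Refuses a bare "*" or any pattern without scheme and host: Keycloak would accept
# it, but it lets an arbitrary site receive the authorisation code.
client_payload() {
  cid="$1"; shift
  uris=""
  for u in "$@"; do
    case "$u" in
      http://*|https://*) ;;
      *) echo "rejecting redirect URI without scheme/host: $u" >&2; return 1 ;;
    esac
    uris="${uris:+$uris,}\"$u\""
  done
  printf '{"clientId":"%s","publicClient":false,"redirectUris":[%s]}' "$cid" "$uris"
}

# Obtain an admin access token with the password grant against the master realm.
admin_token() {
  curl -sf -d "grant_type=password&client_id=admin-cli" \
    -d "username=$KC_ADMIN_USER" -d "password=$KC_ADMIN_PASS" \
    "$KC_URL/realms/master/protocol/openid-connect/token" \
    | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# Only talk to the server when explicitly asked (KC_APPLY=1), so the file can be
# sourced to reuse the helpers without side effects.
if [ "${KC_APPLY:-0}" = "1" ]; then
  TOKEN="$(admin_token)"
  curl -sf -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
    -d "$(realm_payload heeadmin)" "$KC_URL/admin/realms"
  curl -sf -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
    -d "$(client_payload apache 'http://server/*')" "$KC_URL/admin/realms/heeadmin/clients"
fi
```

Run it as `KC_APPLY=1 sh create-realm.sh` once the container is up; the client secret needed by Apache is then visible under the client's Credentials tab in the console.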